This section describes how to use the Certificate Manager. For more information on using certificates, see Using Certificates.
If you are not currently viewing the Certificate Manager window, follow these steps:
The Your Certificates tab in the Certificate Manager displays the certificates on file that identify you. Your certificates are listed under the names of the organizations that issued them. If you can't see certificate names under an organization's name, double-click the name to expand it.
Use the following buttons to view and manage your certificates (most actions require one or more certificates to be selected):
Note: Certificates on smart cards cannot be backed up. Whether you select some of your certificates and click Backup, or click Backup All, the resulting backup file will not include any certificates stored on smart cards or other external security devices. You can only back up certificates that are stored on the built-in Software Security Device.
A certificate backup password protects one or more certificates that you are backing up from the Your Certificates tab in the Certificate Manager.
The Certificate Manager asks you to set this password when you back up certificates, and requests it when you attempt to import certificates that have previously been backed up.
If someone obtains the file containing a certificate that you have backed up and successfully imports the certificate, that person can send messages or access websites while pretending to be you. This can be a problem, for example, if you digitally sign important email messages or manage your bank or investment accounts over the Internet.
Therefore, it's important to select a certificate backup password that is difficult to guess. The password quality meter gives you a rough idea of the quality of your password as you type it based on factors such as length and the use of uppercase letters, lowercase letters, numbers, and symbols. It does not guarantee that your password cannot be guessed, however.
For further guidelines, see Choosing a Good Password.
It's also important to record the password in a safe place—and not anywhere that's easily accessible to someone else. If you forget this password, you can't import the backup of your certificate.
Before deleting one of your own expired certificates from the Your Certificates tab in the Certificate Manager, make sure you won't need it again some day for reading old email messages that you may have encrypted with the corresponding private key.
The People tab in the Certificate Manager displays email certificates you have on file that identify other people.
When people send you digitally signed email messages, Certificate Manager imports their certificates automatically. You can use these certificates to send encrypted messages to those people.
Certificates that identify people are listed under the names of the organizations that issued them. If you can't see certificate names under an organization's name, double-click the name to expand it.
Use the following buttons to view and manage your certificates (most actions require one or more certificates to be selected):
Before deleting someone else's certificate from the People tab in the Certificate Manager, make sure you won't need it again some day to send encrypted email to that person or to verify digital signatures on messages from that person.
The Servers tab in the Certificate Manager displays certificates you have on file that identify servers (websites, mail servers).
Certificates that identify servers are grouped under the names of the organizations that issued them. If you can't see certificate names under an organization's name, double-click the name to expand it.
Use the following buttons to view and manage your certificates (most actions require one or more certificates to be selected):
When you select a website certificate from the
Servers tab in the Certificate Manager and click Edit,
you see a window entitled Edit website certificate trust settings
.
Here you specify whether you want to trust the selected certificate for
identifying the website and setting up an encrypted connection.
The dialog box contains these elements:
name of certificatewas issued by: Provides information about the certificate authority that issued this certificate.
Click OK to confirm your choice.
Before deleting a server certificate from the Servers tab in the Certificate Manager, make sure that you won't need it again for the purposes of identifying a website or mail server and setting up an encrypted connection.
The Authorities tab in the Certificate Manager displays the certificates you have on file that identify certificate authorities (CAs).
CA certificates are grouped under the names of the organizations that issued them. If you can't see certificate names under an organization's name, double-click the name to expand it.
Use the following buttons to view and manage your certificates (most actions require one or more certificates to be selected):
To ensure that an entire certificate chain of CAs are all trusted, you need to edit the root CA certifiate only.
To import the chain, you click a link on a web page provided by the CA. You can then use the authorities tab to locate the root certificate and edit its trust settings.
The root and intermediate CAs all appear under the same organization. The root certificate is the one that lists itself as the issuer.
If you download an intermediate CA: If you download an intermediate CA certificate that chains to a root certificate already marked as trusted in your browser, you don't have to indicate what purposes you trust it for. Intermediate certificates automatically inherit the trust settings of their roots.
When you select a CA certificate from the
Authorities tab in the Certificate Manager and
click Edit, you see a window entitled Edit CA certificate trust
settings
. Here you specify the kinds of certificates you trust this CA
to certify. If you deselect all the checkboxes, Certificate Manager will not
trust any certificates issued by this CA.
The settings have these effects:
Click OK to confirm the settings you have selected.
Before deleting a CA certificate from the Authorities tab in the Certificate Manager, make sure that you won't need it again to validate certificates issued by that CA. If you delete the only valid certificate you have for a CA, Certificate Manager will no longer trust any certificates issued by that CA.
The Others tab in the Certificate Manager displays certificates you have on file that do not fit in any of the other categories, i.e. certificates that neither belong to you, other people, servers or CAs.
Other certificates are grouped under the names of the organizations that issued them. If you can't see certificate names under an organization's name, double-click the name to expand it.
Use the following buttons to view and manage your certificates:
This section describes the options available in the Device Manager window. For background information and step-by-step instructions on the use of the Device Manager, see Managing Smart Cards and Other Security Devices.
If you are not currently viewing the Device Manager window, follow these steps:
The Device Manager lists each available PKCS #11 module, and the security devices managed by each module below the module's name.
When you select a module or device, information about the selected item appears in the middle of the window, and some of the buttons on the right side of the window become available. In general, you perform an action on a module or device by selecting its name and clicking the appropriate button: